Ganneff's Little Blog

Thoughts of a small and very unimportant Debian Developer

Today I committed a little code change to our dak repository, implementing a “Valid-Until” field in the Release files. This should be used by apt in a way to horribly die if it can’t download a new Release file after the date given in that header. (Or well, present a nice message to the user. Whatever, same thing :) ). (This is intentionally not a client-side option, as this way the archives can define a (for them) sensible timeout)

Reason: We got bug report 499897 today, describing a possible attack wherein an adversary causes the victim to use an outdated copy of the security mirror, thereby preventing the victim from getting security updates. See the linked bug (and the RT ticket linked from there) for more text on this.

As apt does the right thing and ignores unknown fields in Release files, I went and added the field already.
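To show what the client side of this check looks like, here is a small Python checker, added as an illustration and not code from dak or apt: it parses the top-level fields of a Release file and refuses the file once the Valid-Until date has passed, which is exactly the situation in the stale-mirror attack above. It assumes Valid-Until uses the same RFC 2822 date format as the existing Date field, that a missing Valid-Until means "no expiry" (the archive chose not to set one), and that an unparsable Valid-Until is treated as expired (fail closed); the Release contents below are constructed sample data.

```python
"""Added example, not dak's or apt's own code: enforce Valid-Until on a
Debian Release file so a stale or replayed mirror copy is rejected.

Assumptions: RFC 2822 dates (as in the Date field), field names compared
case-insensitively, missing Valid-Until = no expiry, unparsable = expired.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_release(text):
    """Parse 'Key: value' fields of a Release file into a dict keyed by
    lowercased field name. Indented continuation lines (the hash lists
    under MD5Sum/SHA256) are appended to the preceding field."""
    fields = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            if current is not None:
                fields[current] += "\n" + line.strip()
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed Release line: %r" % line)
        current = key.strip().lower()
        fields[current] = value.strip()
    return fields


def release_is_fresh(text, now=None):
    """Return (ok, reason). ok is False once Valid-Until has passed, or when
    the field is present but cannot be parsed (fail closed)."""
    fields = parse_release(text)
    now = now or datetime.now(timezone.utc)
    valid_until = fields.get("valid-until")
    if valid_until is None:
        return True, "no Valid-Until field; archive set no expiry"
    try:
        expiry = parsedate_to_datetime(valid_until)
    except (TypeError, ValueError):
        return False, "unparsable Valid-Until %r; refusing" % valid_until
    if expiry.tzinfo is None:  # '-0000' yields a naive datetime; treat as UTC
        expiry = expiry.replace(tzinfo=timezone.utc)
    if now > expiry:
        return False, "Release expired at %s; mirror stale or replayed" % valid_until
    return True, "Release valid until %s" % valid_until


def utc_date(year, month, day):
    """Helper so callers can pin 'now' to a fixed UTC instant."""
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample Release files (hashes are placeholders, not real digests).
RELEASE_WITH_EXPIRY = """Origin: Debian
Label: Debian-Security
Suite: stable
Codename: lenny
Date: Sat, 20 Sep 2008 10:00:00 UTC
Valid-Until: Sat, 27 Sep 2008 10:00:00 UTC
Architectures: amd64 i386
Components: main
MD5Sum:
 00000000000000000000000000000000 0 main/binary-amd64/Packages
"""

RELEASE_NO_EXPIRY = """Origin: Debian
Suite: stable
Date: Sat, 20 Sep 2008 10:00:00 UTC
Components: main
"""

RELEASE_BAD_EXPIRY = """Origin: Debian
Suite: stable
Date: Sat, 20 Sep 2008 10:00:00 UTC
Valid-Until: sometime next week
"""

if __name__ == "__main__":
    for label, text in (("with expiry", RELEASE_WITH_EXPIRY),
                        ("no expiry", RELEASE_NO_EXPIRY),
                        ("bad expiry", RELEASE_BAD_EXPIRY)):
        print(label, release_is_fresh(text, now=utc_date(2008, 10, 5)))
```

With `now` pinned to a date a week after the sample Valid-Until, the first file is rejected while the file without the field is still accepted, which is why the timeout has to be chosen by the archive: a client that does not know the field simply keeps trusting whatever the mirror serves.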

It would be great if we could have an apt that implements support for this in Lenny. A patch only addressing this change shouldn’t be too long. But as we are near a Release I don’t think that’s too likely (feel free to prove me wrong), so I hope for a Lenny point release OR a Security Advisory for it (depending on how much the security team does want this feature).